[AusNOG] security policies on a juniper srx110

Luca Salvatore Luca at ninefold.com
Tue Oct 16 13:26:04 EST 2012

Have you set up some traceoptions?  They will show you what's going on.  Something like:

set security flow traceoptions file flow-trace
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter 1 source-prefix x.x.x.x
set security flow traceoptions packet-filter 1 destination-prefix y.y.y.y

Make sure the address in the security policy matches the NATed address also....


-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Peter Brown
Sent: Tuesday, 16 October 2012 1:14 PM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] security policies on a juniper srx110

Hi everyone,

I am still having trouble getting destination NAT and security policies working on my SRX110.
I am reasonably sure the NAT is working because I am seeing translation hits in the monitoring section of the web interface.
I am not seeing anything in the security policies however.
From all the documentation I have read I have the NAT and policies set up correctly but I am obviously missing something.

Is there something else that sits between destination NAT and policies that would stop the traffic from even hitting the security policies?

Thanks in advance.

AusNOG mailing list
AusNOG at lists.ausnog.net
